California Sets New Standard for Data Privacy with CCPA

Late last year, the California Consumer Privacy Act of 2018 (CCPA) was passed into law, and with it, high-tech electronics organizations are grappling with yet another complex and demanding set of data privacy regulations. Although aimed at protecting consumer privacy, by necessity, these regulations will change the way that electronics OEMs manage their data.

When Governor Jerry Brown signed the bill, California became the first U.S. state to pass its own data privacy law, dubbed the California Consumer Privacy Act (CCPA). The act goes into effect on January 1, 2020, and will provide the state’s 40 million residents with rights similar to those granted to European citizens through the General Data Protection Regulation (GDPR) that the European Union (EU) put into effect in May 2019.

“For electronics companies, what will be at issue is personal information of customers, including direct to consumer information, marketing lists, and warranties as well as the personal information of employees,” said Laura Jehl, a partner at law firm BakerHostetler.

Although similar, the two are not the same. See the infographic below from DemandLab to see a comparison of the California law compared to those passed in the EU. “The CCPA and the GDPR are different in material ways,” said Alan Friel, a partner at law firm BakerHostetler. “A company that has prepared for GDPR may be able to build off those efforts and use some of those same data management tools. However, the rights and methodologies are somewhat different.”

The CCPA demands mandatory compliance from businesses in a variety of categories:

Those with a gross revenue of more than $35 million;

Those that annually buy, sell, or share for commercial purposes the personal information of 50,000 or more consumers, households or devices; or

Those that derive 50% or more of their annual revenues from the sale of consumers’ personal information.

Further, the complexity of data privacy will likely grow over time. A handful of other states are following a similar path, and a handful of bills are being considered at the federal level. As this shakes out, organizations will likely be dealing with a patchwork of data privacy laws that will be difficult to manage.

The time to start thinking about data handling is now. Organizations should consider how to change their technologies and business processes to be in compliance. “As with most regulations, the California Consumer Privacy Act is setting general requirements and expected penalties rather than giving actual tools for improvements,” said Matan Or-El, co-founder and CEO of Panorays. “The idea is that in the face of potential penalties, organizations would create or purchase the appropriate tools and processes.”

If a consumer asks that his or her data be deleted, then the organization is responsible for knowing where to find the information so it can be removed. “The most important thing is to start to get a handle on data mapping and data flows,” said Jehl. “They need to understand whose information they are collecting, who they are sharing it with, and what third parties have access. Today, many organizations don’t have a clear idea.”

Lack of compliance has the potential to be costly. “Penalties can be high $2,500 per instance on data subject basis,” said Friel. “Organizations do have a right to cure , that is to fix things that can be fixed.”

Further, the state is promising to police compliance diligently. The California attorney general has made statements that his office will hire a couple of dozen lawyers to do enforcement, Friel explained. Further, funds collected through enforcement will be used to fund enforcement. “We expect to see robust enforcement,” he added.

The bottom line? “If you aren’t GDPR compliant, you have a lot of work to do to get ready for CCPA,” said Friel. “If you are GDPR compliant, that alone won’t be enough.”